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ARTICLE  INFO  ABSTRACT 


Public  key  management  in  mobile  ad  hoc  networks  (MANETs)  has  been  studied  for  sev¬ 
eral  decades.  However,  the  unique  characteristics  of  MANETs  have  imposed  great  chal¬ 
lenges  in  designing  a  fully  distributed  public  key  management  protocol  under  resource- 
constrained  MANET  environments.  These  challenges  include  no  centralized  trusted  enti¬ 
ties,  resource  constraints,  and  high  security  vulnerabilities.  This  work  proposes  a  fully  dis¬ 
tributed  trust-based  public  key  management  approach  for  MANETs  using  a  soft  security 
mechanism  based  on  the  concept  of  trust.  Instead  of  using  hard  security  approaches,  as 
in  traditional  security  techniques,  to  eliminate  security  vulnerabilities,  our  work  aims  to 
maximize  performance  by  relaxing  security  requirements  based  on  the  perceived  trust.  We 
propose  a  composite  trust-based  public  key  management  (CTPKM)  with  the  goal  of  max¬ 
imizing  performance  while  mitigating  security  vulnerability.  Each  node  employs  a  trust 
threshold  to  determine  whether  or  not  to  trust  another  node.  Our  simulation  results  show 
that  an  optimal  trust  threshold  exists  to  best  balance  and  meet  the  conflicting  goals  be¬ 
tween  performance  and  security,  by  exploiting  the  inherent  tradeoff  between  trust  and 
risk.  The  results  also  show  that  CTPKM  minimizes  risk  (i.e.,  information  leakout)  using  an 
optimal  trust  threshold  while  maximizing  service  availability  with  acceptable  communi¬ 
cation  overhead  incurred  by  trust  and  key  management  operations.  We  demonstrate  that 
CTPKM  outperforms  both  existing  non-trust-based  and  trust-based  counterparts. 
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1  1.  Introduction 

2  In  resource-constrained  mobile  ad-hoc  networks 

3  (MANETs),  it  is  inefficient  to  employ  cryptographic  tech- 

4  niques  for  key  management  due  to  high  computation  and 

5  communication  overhead  as  well  as  network  dynamics 

6  that  could  require  frequent  key  reassignments.  In  addi- 

7  tion,  the  unique  nature  of  MANETs  does  not  allow  any 

8  centralized  trusted  certificate  authority  (CA)  to  deal  with 

9  all  key  management  operations,  including  key  generation, 
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distribution,  update,  and  revocation.  Essentially,  it  is  in-  10 
feasible  to  build  a  system  using  hard  security  approaches  n 
(e.g„  encryption  or  authentication  techniques)  to  meet  the  12 
dual  goals  of  performance  (i.e.,  efficiency)  and  security  13 
due  to  the  inherent  tradeoff.  In  this  work,  we  take  a  soft  14 
security  approach  by  applying  the  concept  of  trust  to  meet  15 
both  performance  and  security  requirements.  16 

The  concept  of  “trust”  originally  is  derived  from  so-  17 

cial  science  and  defined  as  the  degree  of  a  subjective  be-  18 

lief  about  the  behaviors  of  a  particular  entity  [1],  Blaze  19 
et  al.  [2]  first  introduced  the  term  “trust  management”  20 
and  identified  it  as  a  separate  component  of  security  ser-  21 
vices  in  networks.  They  explained  that  “Trust  management  22 
provides  a  unified  approach  for  specifying  and  interpret-  23 
ing  security  policies,  credentials,  and  relationships.”  Trust  24 
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management  in  MANETs  is  needed  when  participating 
nodes,  without  any  previous  interactions,  desire  to  estab¬ 
lish  a  network  with  an  acceptable  level  of  trust  relation¬ 
ships  among  themselves. 

Trust  management,  including  trust  establishment,  trust 
update,  and  trust  revocation,  in  MANETs  is  more  challeng¬ 
ing  than  in  traditional  centralized  environments  [3],  First 
of  all,  collecting  trust  evidence  to  evaluate  trustworthiness 
is  difficult  due  to  topology  changes  caused  by  node  mobil¬ 
ity/failure.  Further,  resource  constraints  often  confine  trust 
assessment  process  only  to  local  information.  The  dynamic 
nature  and  characteristics  of  MANETs  result  in  uncertain, 
incomplete  trust  evidence,  which  is  continuously  changing 
over  time  [3,4],  Cho  et  al.  [5]  comprehensively  surveyed 
trust  management  in  MANETs  recognizing  that  trust  orig¬ 
inates  from  various  domains  including  psychology,  sociol¬ 
ogy,  economics,  philosophy,  organizational  theory,  and  so 
on.  Cho  et  al.  [5]  suggested  that  the  following  properties  be 
considered  when  designing  trust-based  MANET  protocols: 
(1)  potential  risk;  (2)  context-dependency;  (3)  each  party’s 
own  interest  (e.g.,  utility/payoff  based  on  rational  selfish¬ 
ness);  (4)  learning  based  on  cognition/experience;  and  (5) 
system  reliability. 

Trust  management  has  diverse  applicability  in  many 
decision  making  situations  including  intrusion  detection 
[6,7],  authentication,  access  control,  key  management,  iso¬ 
lating  misbehaving  nodes  for  effective  routing  [6,8,9],  and 
many  other  purposes  [9],  In  addition,  the  concept  of  mul¬ 
tidimensional  trust  recently  has  been  explored  in  network¬ 
ing  and  computing  research  areas  and  applied  in  various 
security  services  [6,7,10-13],  Bao  et  al.  [6,7]  proposed  trust- 
based  secure  routing  and  intrusion  detection  mechanisms 
for  wireless  sensor  networks  by  considering  multiple  di¬ 
mensions  of  trust.  Cho  et  al.  [10,11]  and  Chen  et  al.  [12] 
proposed  trust  management  protocols  for  MANETs  or  de¬ 
lay  tolerant  networks  considering  multiple  trust  compo¬ 
nents.  However,  the  above  works  [6,7,10-12]  did  not  con¬ 
sider  trust-based  public  key  management  while  assuming 
a  pre-loaded  private/public  key  pair  in  each  node.  Very  re¬ 
cently  Mahmoud  et  al.  [13]  proposed  trust-based  secure 
and  reliable  routing  for  heterogeneous  multihop  wireless 
networks  where  competence  and  reliability  of  a  node  are 
estimated  and  used  to  derive  the  node  trust  level  that  can 
be  used  in  routing  decisions.  However,  Mahmoud  et  al. 
[13]  assume  the  existence  of  a  centralized  offline  trusted 
party  to  deal  with  public  key  management  including  is¬ 
suance,  distribution,  and  update  of  a  public/private  key 
pair  to  nodes  in  the  network.  Our  work  uses  distributed 
peer-to-peer  trust  evaluation  for  public  key  management 
using  three  trust  dimensions  capturing  the  unique  aspects 
of  trust  in  a  MANET. 

In  this  paper,  we  propose  a  composite  trust-based  dis¬ 
tributed  key  management  algorithm  (CTPKM)  for  MANETs 
without  using  a  centralized  trusted  CA.  Our  approach  falls 
under  the  category  of  certificate-based  public  key  man¬ 
agement.  The  proposed  protocol  is  designed  to  meet  a  re¬ 
quired  level  of  security  (e.g.,  the  fraction  of  valid,  correct 
and  uncompromised  public  keys,  and  information  risk)  as 
well  as  to  meet  performance  requirements  (e.g.,  service 
availability  and  communication  overhead),  without  relying 
on  trusted  third  parties  such  as  CAs.  The  proposed  protocol 


aims  to  achieve:  (a)  resiliency  against  misbehaving  nodes 
in  the  network  to  maintain  minimum  security  vulnerabil¬ 
ity;  (b)  availability  in  service  provision  in  the  presence  of 
compromised  nodes;  and  (c)  efficiency  in  minimizing  com¬ 
munication  overhead  incurred  by  trust  and  key  manage¬ 
ment  operations.  CTPKM  satisfies  the  requirements  of  self- 
organized  and  distributed  key  management  for  MANETs 
as  discussed  in  [14]:  (a)  no  single  point  of  failure,  i.e., 
no  trusted  third  party  is  required;  (b)  resilience  with  low 
security  vulnerability  in  the  presence  of  hostile  entities, 

1. e.,  little  exposure  of  a  compromised  key;  (c)  high  ser¬ 
vice  availability,  i.e.,  a  sufficient  number  of  valid,  correct 
public  keys  are  kept  in  each  node;  and  (d)  scalability,  i.e., 
low  communication  overhead  for  obtaining  a  valid/correct 
public  key  whose  corresponding  private  key  is  not  compro¬ 
mised. 

The  contributions  of  our  work  are  as  follows: 

1.  Relative  to  existing  non-trust-based  distributed  key 
management  algorithms  for  MANETs  without  using 
a  centralized  trusted  [15-19],  our  contribution  is  to 
develop  a  CTPKM  that  allows  each  node  to  make  lo¬ 
cal  peer-to-peer  trust  assessment  for  distributed  de¬ 
cision  making  based  on  a  composite  trust  metric. 
We  consider  multiple  dimensions  of  trust  (i.e.,  com¬ 
petence,  integrity,  and  social  contact)  that  are  esti¬ 
mated  based  on  evidence  derived  from  the  charac¬ 
teristics  of  communication,  information,  and  social 
networking  in  a  MANET.  This  allows  fast  and  safe 
propagation  of  the  keys  to  trustworthy  nodes  for 
preserving  quality-of-service  (QoS). 

2.  Relative  to  existing  trust-based  distributed  key  man¬ 
agement  algorithms  for  MANETs  without  using  a 
centralized  trusted  CA  [20-24],  our  contribution  is  to 
develop  a  threshold-based  filtering  mechanism  that 
can  effectively  exploit  the  inherent  tradeoff  between 
trust  and  risk.  The  end  result  is  that  CTPKM  is  able 
to  identify  the  optimal  trust  threshold  to  be  ap¬ 
plied  at  runtime  for  differentiating  trustworthy  vs. 
untrustworthy  nodes  to  maximize  key  management 
service  availability. 

3.  We  conduct  a  comprehensive  performance  analy¬ 
sis  comparing  CTPKM  with  both  non-trust-based 
and  trust-based  counterparts.  We  demonstrate  that 
CTPKM  outperforms  a  non-trust-based  baseline 
model  and  two  existing  trust-based  key  manage¬ 
ment  schemes  [20,21],  and  can  identify  an  optimal 
operational  setting  meeting  dual  conflicting  goals  of 
performance  and  security. 

The  rest  of  the  paper  is  organized  as  follows.  Section  2 
discusses  related  work.  Section  3  describes  the  system 
model  including  the  attack  model,  trust  model,  protocol 
description,  and  performance  metrics.  Section  4  conducts 
a  comparative  performance  analysis  and  reports  numerical 
results.  Section  5  concludes  our  paper  and  suggests  future 
work. 

2.  Related  work 

In  this  section,  we  discuss  existing  work  in  certificate- 
based  public  key  management  for  MANETs,  and  compare 
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and  contrast  them  with  our  proposed  CTPKM  (Section  2.1).  these  works  [22,24]  still  reveal  a  single  point  of  failure  and 

For  completeness,  we  also  survey  identity-based  did  not  show  specific  trust  models  and  attacks  considered. 


(Section  2.3),  threshold-based  (Section  2.2),  certificate-less 
cryptography  (Section  2.4),  and  combined  (Section  2.5) 
public  key  management,  and  provide  reasons  why  these 
other  approaches  (Sections  2.2-2. 5)  are  not  suitable  for 
public  key  management  for  MANETs. 

2.1.  Certificate-based  public  key  management 

Certificate-based  public  key  management  approaches  re¬ 
quire  public  keys  to  be  distributed  where  the  receiving 
party  should  be  able  to  authenticate  the  received  key 
based  on  the  certificate  of  the  public  keys.  Thus,  a  trusted 
CA  is  required  to  deal  with  key  management  operations 
including  key  generation,  distribution,  revocation,  and  up¬ 
date  [25], 

For  MANETs  without  trusted  CAs,  certificate-based  ap¬ 
proaches  should  operate  in  a  self-organized  way.  Capkun 
et  al.  [15]  proposed  a  certificate-based  self-organized  pub¬ 
lic  key  management  for  MANETs  by  removing  the  need  of 
a  centralized  trusted  entity  for  key  management.  However, 
the  assumption  of  being  able  to  create  certificate  graphs 
is  unrealistic  as  MANETs  suffer  from  unreliable  wireless 
transmission,  high  security  vulnerability,  and  dynamically 
changing  topologies.  The  criteria  being  used  by  a  user  to 
issue  a  public-key  certificate  of  another  user  are  not  pro¬ 
vided,  even  though  the  existence  of  a  public  key  is  used  as 
evidence  to  trust  another  node.  Further,  the  claimed  ben¬ 
efit  of  low  communication  cost  in  the  presence  continu¬ 
ous  updates  of  certificate  repositories  of  users  in  dynamic, 
hostile  MANETs  is  questionable.  The  authors  [20,24]  pro¬ 
posed  a  two-step  secure  authentication  protocol  for  multi¬ 
cast  MANETs.  In  order  to  deal  with  key  management,  they 
used  the  highest  trustworthy  node  as  a  CA  and  the  sec¬ 
ond  highest  trustworthy  node  as  a  backup  CA.  However, 
the  measurement  of  trust  values  is  not  clearly  described. 
Chauhan  and  Tapaswe  [16]  proposed  a  key  management 
approach  for  MANETs  with  no  trusted  third  entity.  This 
work  employs  a  group  leader  as  a  CA  to  manage  key  gen¬ 
eration  and  distribution.  However,  group  leader  selection 
is  done  randomly,  without  considering  its  trustworthiness 
and  specific  attack  behaviors.  Dahshan  and  Irvin  [21]  pro¬ 
posed  a  certificate-based  public  key  management  scheme 
for  MANETs  where  trust  is  used  as  authentication  metric 
to  represent  the  assurance  of  obtaining  a  valid  public  key. 
However,  this  scheme  generates  high  communication  over¬ 
head  and  delay  for  a  source  to  obtain  a  valid  public  key  of 
a  destination. 

Huang  and  Wu  [17]  proposed  a  certificate  path  discov¬ 
ery  algorithm  for  MANETs  based  on  the  hierarchical  PKI 
structure  using  multiple  CAs  with  no  specific  trust  frame¬ 
work.  Huang  and  Nicol  [18]  proved  that  the  shortest  cer¬ 
tificate  chain  does  not  guarantee  the  most  trustworthy 
path  to  obtain  the  public  key  of  a  target  node  due  to  dif¬ 
ferent  trustworthiness  observed  in  each  intermediate  node 
on  the  certificate  chain.  In  order  for  public  keys  and  their 
certificates  to  be  managed  by  trustworthy  CAs  in  the  hi¬ 
erarchical  public  key  management  structure,  Xu  et  al.  [24] 
and  PushpaLakshimi  et  al.  [22]  used  cluster  heads  as  trust¬ 
worthy  CAs  based  on  their  trust  in  the  system.  However, 


Wu  et  al.  [19]  proposed  a  key  management  protocol  for 
MAENTs  for  efficiency  in  updating  certificates  and  security 
in  key  revocation.  They  used  a  special  group  named  “server 
group”  consisting  of  servers  of  multicast  groups.  However, 
the  selection  algorithm  of  the  servers  in  the  server  group  is 
not  discussed.  Vinh  et  al.  [23]  employed  a  group  head  for 
public  key  management  in  a  group  communication  system 
where  the  group  head  is  selected  based  on  trust.  However, 
this  work  does  not  detail  the  used  trust  mechanism. 

Many  studies  used  certificate-based  public  key  manage¬ 
ment.  However,  they  have  brought  out  practical  limitations 
including  high  communication  overhead  or  delay  [15,21], 
and  using  static  trust  [20,22-24]  to  select  CAs.  In  addi¬ 
tion,  hierarchy-based  selection  of  CAs  (e.g.,  group  leaders 
or  cluster  heads)  [16-19]  also  reveals  high  security  vul¬ 
nerabilities  when  the  selected  CAs  are  compromised.  Our 
work  differs  from  the  above  works  in  that  we  devise  a 
trust  metric  considering  multiple  dimensions  of  a  node’s 
trust  and  leverage  it  for  decision  making  in  the  process 
of  key  management  and  group  communication  in  order 
to  achieve  system  goals  including  high  service  availability, 
low  communication  cost,  and  low  risk. 

Existing  certificate-based  public  key  management 
schemes  cited  above  expose  practical  limitations,  including 
needing  a  centralized  trusted  CA  [25],  high  communication 
overhead  or  delay  [15,21],  and  using  static  trust  [20,22-24] 
to  select  CAs.  In  addition,  hierarchy-based  selection  of 
CAs  (e.g.,  group  leaders  or  cluster  heads)  [16-19]  can  lead 
to  high  security  vulnerability  when  the  selected  CAs  are 
attacked  and  compromised. 

Unlike  [25]  our  work  does  not  use  a  centralized  trusted 
CA.  Unlike  [16-19]  cited  above,  our  work  uses  a  com¬ 
posite  trust  specifically  designed  for  public  key  manage¬ 
ment.  Peer-to-peer  trust  evaluation  is  dynamically  per¬ 
formed  over  time  upon  interactions  between  entities.  This 
novel  design  feature  contributes  to  (1)  detecting  malicious 
entities  that  have  been  compromised  over  time;  and  (2) 
issuing/distributing  a  public/private  key  pair  to  only  nodes 
that  maintain  a  certain  level  of  trust.  This  feature  also  miti¬ 
gates  the  security  vulnerability  issue  suffered  by  hierarchy- 
based  CA  selection  schemes  [16-19]  .  Unlike[15,21]  which 
incur  high  communication  overhead  or  delay,  we  develop 
a  threshold-based  filtering  mechanism  that  can  effectively 
exploit  the  inherent  tradeoff  between  trust  and  risk  in  or¬ 
der  to  achieve  system  goals  including  high  service  avail¬ 
ability,  low  communication  cost,  and  low  risk. 

2.2.  Threshold  public  key  cryptography 

Shamir  [26]  proposed  threshold  cryptography  based  on 
sharing  of  secrets  to  generate  a  private  key.  In  threshold 
cryptography,  the  private  CA  key  is  distributed  over  a  set  of 
server  nodes  through  a  (k,  n)  secret  sharing  scheme.  The 
private  CA  key  is  shared  between  n  nodes  in  such  a  way 
that  at  least  k  nodes  must  cooperate  in  order  to  sign  the 
certificates.  However,  a  central  trusted  CA  exists  to  select 
servers  as  the  coordinators  for  key  management,  result¬ 
ing  in  a  single  point  of  failure.  In  addition,  the  inherent 
weakness  of  the  secret  sharing  scheme  is  the  substantial 
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delay  when  the  set  of  trustworthy  server  nodes  cannot  be 
found  to  generate  the  private  CA  key  [27,28],  Besides,  when 
the  CA  is  compromised,  the  whole  system  is  compromised 
[29]. 

2.3.  ID-based  public  key  cryptography 

Shamir  [30]  also  proposed  the  concept  of  ID-based  pub¬ 
lic  key  cryptography  (ID-PKC)  which  generates  a  public  key 
based  on  the  ID  of  the  node  (e.g„  IP  or  email  address) 
and  its  corresponding  private  key  generated  by  a  trusted 
CA.  The  weakness  of  the  ID-based  scheme  is  well-known 
as  a  key  escrow  problem  which  exposes  high  security  vul¬ 
nerability  when  the  trusted  CA  is  compromised.  To  remove 
the  key  escrow  problem,  several  solutions  have  been  pro¬ 
posed  including  ID-based  authentication  schemes  [31,32], 
secure  private  key  generation  using  simple  blinding  tech¬ 
nique  in  pairing-based  cryptography  [33].  This  approach  is 
popularly  applied  in  resource-restricted  network  environ¬ 
ments  [34]  due  to  low  communication  overhead  by  reduc¬ 
ing  the  size  of  secret  information  (i.e„  ID)  to  generate  a 
public  key.  However,  these  works  assumed  the  existence 
of  a  trusted  entity  (or  entities)  to  issue  or  coordinate  pub¬ 
lic/private  key  pairs.  This  reveals  high  security  vulnerabil¬ 
ities  when  the  trusted  coordinators  are  compromised.  In 
particular,  no  trust  evaluation  is  considered  to  reflect  dy¬ 
namic  status  of  trust  in  entities  where  a  node  can  be  com¬ 
promised  over  time. 

2.4.  Certificateless  public  key  cryptography 

To  cope  with  the  communication  overhead  incurred  in 
exchanging  certificates,  the  concept  of  certificateless  pub¬ 
lic  key  cryptography  (CL-PKC)  is  introduced  [35],  CL-PKC 
is  a  variant  of  ID-PKC  devised  to  prevent  the  key  escrow 
problem  in  ID-PKC.  CL-PKC  uses  a  trusted  third  party  (TTP) 
which  generates  a  partial  private  key  to  an  entity  based 
on  a  master  key  and  the  entity’s  ID.  The  entity  then  gen¬ 
erates  its  actual  private  key  based  on  the  partial  private 
key  provided  by  the  TTP  and  its  secret  information.  By  this 
way  the  TTP  cannot  access  the  private  key  of  an  entity. 
Compared  to  traditional  public  key  cryptographic  systems, 
CL-PKC  does  not  require  the  use  of  certificates  to  ensure 
the  authenticity  of  public  keys,  leading  to  less  communica¬ 
tion  cost  generated.  Due  to  this  lightweight  feature,  CL-PKC 
has  been  used  for  securing  MANETs  [36-38],  However,  this 
cryptography  reveals  security  vulnerability  in  that  an  at¬ 
tacker  can  fake  a  user’s  public  key  because  the  part  of  the 
user’s  public  key  is  from  the  user’s  random  secret  value. 

2.5.  Hybrid  public  key  management 

Some  researchers  proposed  hybrid  public  key  man¬ 
agement  mechanisms  that  combine  the  features  of 
multiple  schemes  to  meet  the  requirements.  Sun  et  al. 
[39]  combined  ID-based  key  management  with  threshold 
cryptography  without  using  a  centralized  third  party  to 
deal  with  key  management.  Xu  et  al.  [24]  combined  cer¬ 
tificateless  public  key  cryptography  which  eliminates  the 
key  escrow  problem  with  threshold  cryptography  which 
does  not  require  a  centralized  third  party.  Zhang  et  al. 


[36]  proposed  an  ID-based  key  management  scheme  that 
combines  ID-based  cryptography  with  threshold  cryp¬ 
tography  to  enhance  security  and  reduce  communication 
cost  for  key  management.  Li  and  Liu  [40]  also  proposed  a 
hybrid  key  management  scheme  combining  ID-based  key 
management  and  threshold  cryptography. 

All  the  hybrid  schemes  cited  above  [24,36,39,40]  could 
not  completely  remove  the  need  of  a  centralized  trusted 
authority  because  ID-PKC  has  an  inherent  escrow  problem 
and  the  threshold  cryptography  requires  a  trusted  third  au¬ 
thority  to  select  trustworthy  multiple  key  servers  that  gen¬ 
erate  the  secret  shares  of  a  private  CA  key.  If  the  trusted 
entity  is  compromised,  the  entire  system  will  be  vulner¬ 
able.  In  addition,  the  use  of  threshold  cryptography  can 
cause  a  high  delay  when  generating  a  key  because  a  suf¬ 
ficient  number  of  multiple  trustworthy  servers  may  not  be 
available  in  dynamic  MANETs. 

3.  System  model 

We  consider  a  MANET  with  no  centralized  trusted  CA 
that  deals  with  public  key  management.  Nodes  are  devices 
carried  by  a  human  entity  (e.g.,  a  soldier  carrying  mobile 
devices),  modeled  with  heterogeneous  characteristics  with 
different  monitoring  capability,  which  affects  detection  er¬ 
rors,  group  join/leave  rates,  and  different  trust  levels.  To 
reflect  real  human  mobility  patterns  in  a  MANET,  we  used 
CRAWDAD  human  mobility  trace  data  collected  by  KAIST, 
Daegeon,  Korea  [41],  In  the  mobility  data  set,  the  locations 
of  92  human  nodes  over  the  university  campus  of  KAIST 
were  traced  by  CPS  readings  per  30  s  for  a  day. 

In  this  work,  a  public  key  may  have  the  following  sta¬ 
tus::  (1)  valid/invalid:  a  key  that  is  expired  or  not  yet  ex¬ 
pired;  (2)  correct/incorrect:  a  key  that  is  genuine  or  fake; 
and/or  (3)  uncompromised/compromised:  a  key  whose  cor¬ 
responding  private  key  is  compromised  or  not.  The  status 
of  the  public  key  can  belong  to  more  than  one  category 
among  three  while  each  category  gives  a  binary  status. 

3.1.  Attack  model 

We  assume  if  a  node  is  compromised,  the  node  can  per¬ 
form  random  attacks  [6]  with  an  attack  intensity  probabil¬ 
ity  ( Pa )  to  evade  detection.  Attack  intensity  is  modeled  by  a 
probability  parameter,  Pa,  specifying  the  frequency  of  trig¬ 
gering  attacks  by  an  attacker.  We  consider  the  following 
attacks  in  MANETs: 

•  Packet  dropping:  A  node  may  drop  a  packet  received 
due  to  the  nature  of  selfishness  (e.g.,  to  save  energy) 
or  maliciousness  (e.g.,  to  interrupt  service  availability). 
This  is  detected  by  overhearing  to  see  if  a  packet 
sent  to  a  neighbor  for  forwarding  is  actually  being 
forwarded.  It  is  not  possible  to  tell  if  packet  dropping 
is  a  problem  of  competence  or  integrity.  Given  that 
there  are  many  attack  behaviors  that  can  be  detected 
by  our  protocol  design  to  attribute  to  integrity,  to  avoid 
double-count  we  simply  attribute  packet  dropping  to 
competence.  If  a  node  drops  packets  and  the  behavior 
is  observed  by  a  neighbor,  this  neighbor  will  decrease 
the  misbehaving  node’s  direct  competence  trust.  Fur¬ 
thermore,  this  neighbor  when  acting  as  a  recommender 
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will  propagate  a  negative  recommendation  to  other 
nodes  as  indirect  evidence  against  the  misbehaving 
node.  See  Section  3.2.3  for  the  detail  of  peer-to-peer 
trust  estimation  based  on  the  aggregation  of  both 
direct  and  indirect  evidence. 

Private  key  compromise:  A  node’s  private  key  compro¬ 
mise  can  occur  in  the  two  ways:  (1)  when  the  node 
itself  is  compromised  and  passes  its  private  key  to 
other  compromised  nodes  or  outside  attackers  to  leak 
confidential  information  out;  and  (2)  when  a  public 
key  certifier  (called  a  neighborhood  trustworthy  cer¬ 
tifier,  denoted  as  NTC,  to  be  defined  in  Section  3.3.1) 
is  compromised  and  leak  out  a  private/public  key  pair 
of  the  victim  node  to  outside  attackers.  The  outside 
attackers  can  impersonate  the  victim  and  obtain  access 
to  confidential  information  that  should  be  shared 
only  by  group  members.  This  attack  can  be  detected 
based  on  majority  voting  in  our  protocol  design  (see 
Section  3.3.3).  When  a  private  key  compromise  attack 
is  detected,  the  public/private  key  pairs  of  the  victim 
or  compromised  node  will  be  denounced.  If  an  at¬ 
tacker  continues  to  use  the  denounced  public/private 
key  pairs,  it  will  be  detected  and  the  detection  will 
attribute  to  lowering  the  attacker’s  trust  in  integrity. 
Using  the  trust  threshold,  a  node  will  decide  whether 
to  believe  the  received  public  key  is  valid,  correct, 
and/or  compromised  based  on  the  perceived  trust  of 
the  source  sending  the  compromised  public  key. 
Message  modification/forgery:  A  node  may  modify/forge 
a  message  received,  hindering  effective  communication, 
and/or  accurate  trust  assessment.  This  attack  occurs 
when  the  attacker  possesses  the  private  key  of  the  re¬ 
ceiver  due  to  private  key  compromise.  However,  when 
the  corresponding  private  key  compromise  attack  is  de¬ 
tected  (explained  above),  the  public/private  key  pairs 
of  the  sender  will  be  denounced.  If  an  attacker  con¬ 
tinues  to  use  the  private  key  to  do  message  modifica¬ 
tion/forgery  attack,  it  will  be  detected  and  the  detection 
will  attribute  to  lowering  trust  in  integrity. 

Fake  identity/impersonation:  A  node  may  use  a  fake 
identity  or  multiple  identities  (i.e„  Sybil  attack)  to 
break  information  confidentiality  in  communications 
between  two  entities.  In  particular,  a  node  can  imper¬ 
sonate  as  a  victim  node  whose  private  key  is  compro¬ 
mised  by  distributing  the  public  key  and  the  certificate 
of  the  victim  node  to  its  neighbors  in  order  to  attract 
the  victim  node’s  packets  to  it.  However,  when  the  cor¬ 
responding  private  key  compromise  attack  is  detected 
(explained  above),  the  public/private  key  pairs  of  the 
victim  node  will  be  denounced.  If  an  attacker  contin¬ 
ues  to  use  the  private/public  key  pairs  to  do  fake  iden¬ 
tity  attack,  it  will  be  detected  and  the  detection  will  at¬ 
tribute  to  lowering  trust  in  integrity. 

Fake  recommendation  dissemination:  A  node  may  give  a 
bad  recommendation  for  a  good  node  while  giving  a 
good  recommendation  for  a  bad  node  in  order  to  de¬ 
ter  accurate  trust  evaluation/decision  making.  In  our 
trust  metric,  recommendations  are  used  as  indirect  ev¬ 
idence  which  may  be  delivered  through  multiple  hops 
in  MANETs.  The  correctness  of  the  recommendations  is 
ensured  by  unanimous  agreement  of  the  intermediate 
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nodes  based  on  their  opinions  towards  the  previous  for¬ 
warding  node  (i.e.,  whether  the  node  is  lying  or  not)  in 
the  route  in  which  the  opinions  are  tagged  in  the  main 
message  delivered.  The  receiver  can  detect  fake  infor¬ 
mation  dissemination  attack  by  checking  if  there  is  a 
negative  opinion  for  an  intermediate  node  on  the  path. 
If  yes,  this  detection  will  attribute  to  low  trust  in  in¬ 
tegrity  (see  Section  3.2.3  for  more  details). 

•  Denial-of-service  (DoS):  A  malicious  node  can  generate 
unnecessary  traffic  to  interrupt  service  provision  in  the 
system.  We  considered  the  DoS  attack  within  the  key 
management  framework.  Specifically,  a  malicious  node 
can  keep  requesting  public  keys  of  other  nodes  even  if 
it  already  has  their  valid  public  keys.  Since  only  trust¬ 
worthy  nodes  based  on  the  trust  threshold  criterion  are 
able  to  issue,  distribute,  and  obtain  key  pairs,  this  DoS 
attack  can  consume  network  resources  to  increase  de¬ 
lay  of  system  operations,  and  reduce  service  availability. 
This  attack  is  countermeasured  by  using  a  trust  thresh¬ 
old  for  intermediate  nodes  to  ignore  public  key  requests 
generated  from  a  node  whose  trust  level  is  below  the 
threshold,  thus  effectively  throttling  DoS  attacks. 

•  Whitewashing:  A  malicious  node  may  leave  a  network 
and  come  back  later  with  a  new  reputation.  In  our  trust 
management  protocol,  all  new  nodes  joining  a  network 
will  start  with  a  trust  value  of  ignorance  (i.e.,  0.5), 
when  other  nodes  assess  their  trust  upon  join.  For  a 
new  node  joining  the  network,  it  is  allowed  to  interact 
with  other  nodes  to  accrue  reputation  from  other  nodes 
with  a  given  warming-up  period.  If  after  this  period, 
the  new  node  does  not  reach  the  trust  threshold,  it  will 
be  isolated  from  group  activities  and  cannot  obtain  a 
valid  key  pair.  Once  a  new  node  accrues  its  reputation 
over  time  through  interactions  with  other  nodes  or  ob¬ 
servations  by  direct  neighbors,  the  increased  trust  en¬ 
ables  the  new  node  to  participate  in  key  management 
operations. 

We  summarize  how  each  attack  is  detected  and  coun¬ 
termeasured  by  the  design  features  of  CTPKM  in  Table  1. 
Table  2  summarizes  the  attack  behaviors  during  the  oper¬ 
ation  of  our  key  management  protocol. 

3.2.  Trust  model 
3.2.1.  Dimensions  of  trust 

We  consider  three  trust  components  to  capture  the 
unique  aspects  of  trust  in  a  MANET  with  communication, 
information  and  social  networking: 

•  Competence  (C)  refers  to  an  entity’s  capability  to  serve 
requests  in  terms  of  a  node’s  cooperativeness  and  avail¬ 
ability.  Availability  may  be  affected  by  network  condi¬ 
tions  such  as  link  failure,  energy  depletion,  and  volun¬ 
tary  or  involuntary  disconnection  (i.e.,  leaving  the  net¬ 
work).  This  is  measured  by  the  ratio  of  the  number  of 
positive  experiences  to  the  total  experiences  in  packet 
forwarding. 

•  Integrity  (I)  is  the  honesty  of  an  entity  in  terms  of  at¬ 
tack  behaviors  discussed  in  Section  3.1  except  packet 
dropping  behavior.  This  is  measured  by  the  number  of 
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Table  1 

Attack  behavior,  detection,  and  countermeasures. 

-xxx 

Attack  behavior 

Detection 

Countermeasure 

Packet  dropping 

Overhearing  by  a  monitoring  mechanism 
pre-installed  in  each  node 

Lowering  direct  trust  in  competence  by 
neighboring  nodes  (direct  evidence);  propagation 
of  low  competence  to  other  nodes  via 
recommendations  (indirect  evidence) 

Private  key  compromise 

Majority  voting  by  neighboring  nodes  who  detect 
the  private  key  compromise  based  on  the 
attacker’s  integrity 

Lowering  the  attacker’s  integrity  by  neighboring 
nodes 

Message  modification/forgery 

Majority  voting  by  neighboring  nodes  who  detect 
the  private  key  compromise  based  on  the 
attacker’s  integrity 

Lowering  the  attacker’s  integrity;  propagation  of 
the  low  integrity  via  recommendations 

Fake  identity/impersonation 

Checking  the  integrity  of  both  the  owner  and 
issuer  (i.e.,  NTC)  of  the  private/public  keys  based 
on  trust  threshold,  Tth 

Lowering  the  culprit’s  integrity;  propagation  of  the 
low  integrity  via  recommendations 

Fake  recommendation 

A  recommendation  packet  delivered  that  does  not 

The  recommendation  is  discarded;  lowering  the 

dissemination 

have  unanimous  agreement  of  positive  opinions 
by  all  intermediate  nodes  on  the  path 

attacker’s  integrity;  propagation  of  the  low 
integrity  via  recommendations 

Denial-of-service 

Receiving  a  large  amount  of  the  same  requests 
from  a  node  whose  integrity  trust  is  below  Tth 

Lowering  the  attacker’s  integrity  by  neighboring 
nodes;  propagation  of  the  low  integrity  via 
recommendations 

Whitewashing 

After  a  warming-up  period  allowing  a  new  joining 
node  started  with  ignorance  trust  (0.5)  to 
interact  with  other  nodes,  the  node’s  trust  does 
not  reach  Tth 

The  new  joining  attacker  with  trust  less  than  T[h 
cannot  have  a  valid  pair  of  its  own  private/public 
key 

Table  2 

Attack  behavior  for  operations. 


Operation 

Attack  behavior 

Trust  assessment 

Fake  information  dissemination, 

Key  issuance  by  a 

message  modification,  packet 
dropping 

Private  key  compromise 

malicious  key 
generator 

Public  key  distribution 

Compromised  public  key  distribution, 

Public  key  request 

fake  identity 

Packet  dropping,  message  modification, 

delegation 

identity  impersonation 

Forwarding  a  requested 

Message  modification/forgery  by 

public  key 

forwarding  a  fake  public  key 

Network  join 

Whitewashing 

positive  experiences  over  the  total  experiences  related 
to  protocol  compliance. 

•  Social  contact  (SC)  is  defined  based  on  a  node’s  inher¬ 
ent  sociability  derived  from  the  trust  profile  available 
a  priori  as  well  as  dynamic  social  behavior  measured 
by  the  number  of  nodes  that  a  node  encounters  dur¬ 
ing  a  trust  update  interval  Tu  over  the  total  number  of 
nodes  in  the  network.  If  an  entity  has  high  SC,  it  is 
more  likely  to  disseminate  information  quickly  to  the 
network,  compared  to  the  ones  with  low  SC.  An  entity’s 
mobility  pattern  will  affect  this  trust  component. 

In  this  work,  trust  is  used  for  making  decisions,  includ¬ 
ing  obtaining  a  certificate  of  a  public  key,  distributing  a 
public  key,  requesting  a  public  key  of  a  target  node,  and 
providing  a  public  key  requested.  The  reasons  we  pick 
the  above  three  trust  components  are  (1)  with  competence 
trust,  we  assure  fast  propagation  of  public  keys;  (2)  with 
integrity  trust,  we  increase  the  probability  that  public 
keys  propagated  are  valid/correct  with  the  corresponding 


private  key  uncompromised;  and  (3)  with  social  contact 
trust,  we  increase  the  probability  of  finding  a  valid  public 
key  from  nodes  having  good  social  networking. 

Henceforth,  we  denote  the  trust  values  of  node  i  to¬ 
wards  node  j  in  trust  component  X’s  (=  competence,  in¬ 
tegrity,  and  social  contact)  at  time  t  by  the  notations  of 
Tfj(t),Tlj(t),  and  T^(t).  We  follow  the  trust  computation 
model  in  our  prior  work  [10]  to  assess  T?j(t)  at  time  t. 

3.2.2.  Objective  trust 

We  assume  that  a  node’s  trust  profile  is  available,  de¬ 
scribing  its  inherent  behavior  patterns  that  can  be  scaled 
in  [0,  1].  In  this  work,  we  generate  a  node’s  initial  average 
trust  value,  called  its  trust  seed,  from  U(GB,  1),  where  U 
is  a  random  real  number  generator  function  based  on  uni¬ 
form  distribution  with  the  lower  and  upper  bounds  as  in¬ 
put  and  GB  is  the  lower  bound  for  good  behavior.  There  is 
a  separate  trust  seed  for  each  trust  component  X,  where 
X  =  C,  I  or  SC  for  competence,  integrity,  or  social  con¬ 
tact  respectively.  Let  Sf  denote  the  trust  seed  drawn  from 
U(GB,  1)  for  trust  component  X  of  node  i.  Let  Ff(t)  be  the 
actual  trust  seed  drawn  from  U(Sf  -  Pd,  Sf  +  Pd)  at  time  t 
with  Sf  being  the  mean  and  Pd  being  the  standard  devi¬ 
ation  of  a  node’s  average  behavior  from  its  actual  behav¬ 
ior  to  account  for  behavior  variation  as  a  function  of  time. 
Then, 

lf(t)  =  mm[U(Sf-Pd,Sf  +  Pd)A]  (1) 

Sf  =  U(CB.  1 )  for  X  =  C,  /  or  SC  (2) 

Let  T/(t)  denote  the  “ground  truth"  objective  trust  of  node 
i  at  time  t.  For  X  =  C  (for  competence),  we  have  to  ac¬ 
count  for  node  availability.  Hence,  Tc(t)  is  calculated  by 
the  product  of  Pf-  (t)  with  Pr,  where  Pr  is  the  link  reliability 
considered  for  competence  trust  at  time  t,  as  follows: 

7jC(t)  =  Ff(t)Pr  (3) 
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For  X  =  1  (for  integrity),  Tf(t)  =  P!(t )  if  node  i  is  not  com¬ 
promised  at  time  t.  If  node  i  is  compromised  at  time  t, 
T/(t)  depends  on  how  often  node  i  preforms  attacks.  We 
assume  that  a  compromised  node  will  perform  random  at¬ 
tacks  (on-off  attacks)  with  probability  Pa  (attack  intensity) 
to  evade  detection.  If  the  compromised  node  does  not  per¬ 
form  attack  at  time  t,  its  integrity  trust  Tf(t)  is  equal  to 
P/(t)  because  it  is  not  detectable.  If  the  compromised  node 
performs  attack  at  time  t,  its  integrity  trust  Tf(t)  is  decre¬ 
mented  by  Pa  from  the  past  trust  value  Tf(t—  At)  with  a 
lower  bound  of  zero.  Note  that  in  CTPKM,  we  notate  At 
with  a  trust  update  interval,  Tu.  Summarizing  above,  for  a 
compromised  node,  7V(t)  is  given  by: 

Pl(t)  if  node  i  C 

,  (4) 

max[7j'(t  -  At)  -  Pa,  0]  if  node  i  e  C 

Here  C  is  the  set  of  malicious  nodes  performing  attack  at 
time  t  and  At  is  the  periodic  trust  update  interval  Tu.  In 
our  experiment,  we  set  the  percentage  of  nodes  to  be  com¬ 
promised  at  t  =  0  based  on  Pc  to  test  the  resiliency  of  our 
protocol  against  increasing  malicious  node  population. 

Lastly  when  X  =  SC  (for  social  contact),  we  have  to  ac¬ 
count  for  node  dynamic  social  behavior,  so  Tisc(t)  is  given 
by  the  product  of  P?c(t)  with  pN?(t).  where  N?(t)  is  the 
number  of  encounters  to  node  i  as  1-hop  neighbors  during 
the  previous  Tu,  and  p  is  ,  as  follows: 

7fc(t)  =  pJf(t)JVf(t).  (5) 


already  examined  in  [10].  The  correctness  of  the  recom¬ 
mendations  is  ensured  by  referring  to  direct  opinions  of  re¬ 
ferral  recommenders  (forwarding  the  original  recommen¬ 
dation)  attached  to  the  original  message  with  any  detec¬ 
tion  error  of  the  intermediate  nodes  forwarding  the  rec¬ 
ommendation  [10]. 

In  (6),  a  and  1  -  a  are  the  weights  for  direct  and  indi¬ 
rect  evidence  respectively  where  a  is  set  between  0  and 
1.  We  observe  that  when  the  weight  (a)  for  direct  evi¬ 
dence  is  low,  high  trust  accuracy  is  observed,  or  vice-versa. 
This  is  because  only  correct  recommendations  based  on 
unanimous  agreement  by  all  intermediate  nodes  passing 
the  recommendation  are  used  as  indirect  evidence  while 
new  direct  evidence  cannot  be  collected  easily  due  to  node 
mobility.  When  no  correct  recommendations  are  received 
from  recommenders  k's  located  within  TC  hops  from  node 
i  and  this  is  detected  by  node  i  based  on  the  direct  opin¬ 
ions  of  intermediate  nodes  attached  to  the  recommenda¬ 
tion,  trust  decays  with  a  decay  factor  y  over  At,  the  peri¬ 
odic  trust  update  interval  Tu.  However,  due  to  the  collusion 
of  compromised  nodes,  detection  errors  can  be  introduced 
and  false  recommendations  may  be  considered.  In  the  trust 
metric  used  in  this  work,  the  false  detection  can  be  mini¬ 
mized  by  requiring  the  unanimous  agreement  of  all  inter¬ 
mediate  nodes  about  the  correctness  of  the  recommenda¬ 
tion  delivered. 

The  direct  trust  (based  on  direct  observations)  of  node 
j  evaluated  by  node  i  on  trust  component  X  at  time  t, 
7£-x(D,  is  computed  as: 


3.2.3.  Subjective  trust 

Node  j’s  trust  values  for  component  X’s  evaluated  by 
node  i  is  computed  based  on  the  aggregation  of  both  direct 
and  indirect  evidences.  Trust  of  node  j  (trustee:  trusted 
party)  evaluated  by  node  i  (trustor:  trusting  party)  in  trust 
component  X  is: 

if  (\Rj |  >0)  a  (HD(i,k)>TC)  (6) 

Tx(t)  =  aTPrx(t)  +  (1  -  a)T^~x(ty, 
else  Txj(t)  =  yTXj(t-  At): 


J P°-X(t)  if  HD(i,  j)  == 
\yTXj(t  -  At)  otherwise 


When  nodes  i  and  j  encounter  as  1-hop  neighbors  (i.e., 
HD(i.j)  ==  1)  during  the  time  period  (t  -  At),  node  i  can 
collect  direct  evidence  based  on  its  own  observations  or 
experiences  PPrx(t).  When  nodes  i  and  j  are  distant  with 
more  than  1  hop  distances,  node  i  relies  on  its  past  experi¬ 
ence  to  assess  the  direct  trust  of  node  j.  PPrx  (t)  for  X  =  C 
or  I  is  computed  based  on  the  positive  experience  over  the 
negative  experience  associated  with  X  as: 


TP  x(t)  is  direct  trust  based  on  direct  observations  and 
T/°~x(t)  is  indirect  trust  based  on  recommendations  from 
1-hop  neighbors  of  node  j.  Rj  is  a  set  of  recommendations 
correctly  received  from  node  j’s  1-hop  neighbors.  The  avail¬ 
ability  of  recommendations  (|R([  >  0)  is  affected  by  the  re¬ 
ceipt  of  the  correct  recommendations  that  are  affected  by 
packet  dropping  behaviors  and  integrity  (i.e.,  attack  behav¬ 
iors)  of  a  node.  HD(i,  k )  is  the  number  of  hop  distances 
between  nodes  i  and  k  where  node  i  is  a  requestor  (the 
trustor)  and  node  k  is  a  1-hop  neighbor  and  recommender 
of  node  j  (the  trustee). 

In  order  for  the  new  indirect  evidence  to  be  used  for 
trust  update,  recommender  node  k  for  node  j  should  exist 
within  TC  hops  from  node  i  and  the  correct  recommenda¬ 
tion  should  arrive  safely  at  node  i  where  TC  is  the  max¬ 
imum  number  of  hop  distances,  called  a  trust  chain,  al¬ 
lowed  to  collect  recommendations  from  1-hop  neighbors 
of  node  j.  We  will  use  the  optimal  TC  identified  in  this 
work,  but  do  not  investigate  this  in  detail  because  this  is 


pD-X 

U 


(t) 


r 

r+s 


if  r  +  s  >  0 


0  otherwise 


(8) 


where  r  is  the  number  of  positive  experiences  and  s  is  the 
number  of  negative  experiences. 


pD-SC 

i.j 


(t) 


pPjC(t)Nj 

0  otherwise 


(9) 


PjC(t)  is  given  from  the  available  trust  profile  and  N?  and 
p  are  explained  in  (5);  N?  can  be  directly  observed  by 
1-hop  neighbors  of  node  j.  Note  that  1-hop  neighbors  of 
node  j  are  to  forward  recommendations  to  node  i. 

The  indirect  trust  of  node  j  evaluated  by  node  i  on  trust 
component  X  at  time  t,  T!P~x(t).  is  obtained  by: 


•p/D-X 

i.j 


(0 


^#^if  \Rj\  >  0 

yTXj(t  -  At)  otherwise 


(10) 
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When  node  i  receives  correct  recommendations  with  |Rj| 
>  0,  node  i  uses  the  average  of  the  recommendations  to 
derive  the  overall  indirect  trust.  If  R,  is  an  empty  set, 
node  i  will  use  its  past  experience  7/x.(t-Af),  with  de¬ 
cay  weighted  by  y,  due  to  no  correct  recommendations  re¬ 
ceived. 

In  this  work,  we  use  a  trust  threshold,  Tth.  for  a  node  to 
make  a  routing  decision  with  the  goal  of  safe  delivery  of  a 
message  without  being  modified  by  untrustworthy  nodes 
on  a  path  the  message  travels  [8].  This  mechanism  is  ap¬ 
plied  when  a  recommendation  is  delivered  from  recom- 
menders  for  a  trustee  to  a  trustor. 

3.3.  Composite  trust-based  public  key  management 

In  this  section,  we  discuss  the  core  operations  of 
CTPKM  as  illustrated  by  Fig.  1.  Each  mobile  entity  is  able  to 
communicate  with  other  entities  using  public/private  key 
pairs  obtained  through  CTPKM.  Given  a  trust  threshold  Tth, 
a  node  will  assume  a  certain  amount  of  risk  to  communi¬ 
cate  with  another  node  whose  trust  level  is  no  less  than 

Tth- 


3.3.1  Key  generation 

In  CTPKM,  each  node  generates  its  own  public/private 
key  pairs  periodically  but  the  key  pair  should  be  certi¬ 
fied  by  a  trusted  third  party  which  generates  the  certifi¬ 
cate  of  the  public  key.  Since  CTPKM  does  not  assume  the 
existence  of  a  trusted  third  party,  each  node  needs  to  find 
the  most  trustworthy  third  party  node  among  its  1-hop 
neighbors,  called  neighborhood  trustworthy  certifier  (NTC) 
which  can  certify  the  self-issued  private/public  keys.  The 
reason  a  node  chooses  NTC  among  its  1-hop  neighbors 
is  due  to  resource  constraint  and  security  vulnerability  in 
MANETs  which  do  not  allow  trusted  third  parties.  This  cer¬ 
tification  process  mitigates  a  compromised  node  to  obtain 
its  public/private  key  because  NTC  issues  the  certificate 
only  when  the  requesting  node  is  evaluated  as  trustwor¬ 
thy  based  on  whether  NTC’s  trust  in  the  requesting  node  is 
no  less  than  a  given  trust  threshold.  Now  we  discuss  how 
NTC  issues  a  certificate  to  a  node  requesting  the  certificate 
of  its  public/private  key  pair. 

3.3.2.  Public  key  certificate  issuance 

Each  node  i  asks  NTC  m,  a  node  having  the  highest  trust 
value  among  i’s  1-hop  neighbors,  to  certify  the  public  key 
it  generates.  The  minimum  condition  to  be  an  NTC  is  that 
the  NTC  must  have  at  least  a  trust  value  no  less  than  the 
given  trust  threshold  ( T[h )  for  integrity  trust  (i.e.,  Tj  (t )  > 
Tth)-  Thus,  if  i  cannot  find  any  1-hop  neighbors  who  have 
a  trust  value  no  less  than  Tth .  it  cannot  obtain  a  valid  key 
pair. 

After  an  NTC,  m,  receives  i’s  request  for  the  certification 
of  i’s  key  pair,  it  decides  whether  to  issue  the  public  key 
certificate  based  on  i’s  trustworthiness,  in  integrity  trust 
using  Tth  (i.e.,  (t)  >  Tth).  That  is,  there  should  be  a 

mutual  trust  relationship  between  a  certificate  requestor 
and  an  issuer  in  integrity  trust.  The  requesting  node  i  will 
not  be  able  to  obtain  the  certificate  of  its  public  key  if  its 
integrity  trust  level  is  below  Tth-  Recall  that  trust  values 
are  dynamically  changing  over  time.  The  trust  threshold 


Tth  affects  the  protocol  performance  as  follows.  If  a  low 
Tth  is  used,  even  a  relatively  untrustworthy  node  can 
issue  and  certify  the  public  key  to  others.  As  a  result,  a 
malicious  NTC  can  disseminate  many  fake  public  keys  so 
as  to  generate  unnecessary  communication,  resulting  in  a 
waste  of  network  resources.  Besides,  a  malicious  NTC  who 
generates  the  private  key  can  perform  private  key  com¬ 
promise  attacks  and  intercept  information  which  is  sent  to 
the  originally  intended  recipient.  If  either  the  NTC  or  the 
victim  node  of  the  public  key  is  compromised,  then  the 
compromised  NTC  or  the  victim  node  can  leak  the  private 
key  to  other  attackers  as  well.  Hence,  using  an  optimal 
trust  threshold  for  all  decisions  associated  with  key  man¬ 
agement  is  critical  to  mitigating  the  security  vulnerability. 

NTC  also  issues  an  expiration  time  of  the  new  key  pair 
where  the  expiration  time-stamp  is  part  of  the  certificate. 
A  node  updates  its  public/private  key  pair  when  the  expi¬ 
ration  time  is  reached  or  when  its  private  key  is  detected 
as  compromised.  Intuitively,  the  longer  the  expiration  time 
the  lower  the  security,  revealing  high  security  vulnerabil¬ 
ity.  However,  the  longer  expiration  time  allows  lower  com¬ 
munication  cost.  We  assume  a  fixed  expiration  time  for  all 
nodes’  certified  key  pairs  in  this  work. 


3.3.3.  Public  key  distribution 

After  a  node  obtains  its  public  key  certificate,  the  node 
disseminates  the  public  key  along  with  the  certificate  to 
a  subset  of  its  1-hop  neighbors  whose  trust  values  are  no 
less  than  Tt/,  for  all  three  trust  components.  That  is,  node 
i  will  disseminate  its  public  key  packet  to  a  neighbor  m 
which  should  meet  the  following  conditions: 

T*m(0>  Tth  (11) 


where  7/xm(t),  with  X  =  C,  I  or  SC,  is  a  measured  trust  of 
node  m  evaluated  by  node  i  for  competence,  integrity,  or 
social  contact  trust,  respectively.  Node  i  also  periodically 
disseminates  its  public  key  to  its  current  1-hop  neighbors 
who  satisfy  the  above  conditions. 

Since  nodes  are  mobile,  if  a  node  has  a  high  mobility 
rate,  it  may  have  more  chances  to  obtain  public  keys  of 
other  nodes  (being  affected  by  the  degree  of  social  contact 
trust),  and  vice-versa.  Selecting  the  right  set  of  neighbor¬ 
ing  nodes  is  critical  to  revealing  less  security  vulnerabil¬ 
ity  while  obtaining  uncompromised  public  keys.  When  a 
public  key  is  distributed  to  a  compromised  node,  the  com¬ 
promised  node  may  perform  a  data  forgery  or  modification 
attack  by  forwarding  a  fake  pubic  key. 

When  node  i  disseminates  its  public  key  and  the  certifi¬ 
cate  to  a  subset  of  1-hop  neighbors  based  on  (11)  (called 
“trustworthy  1-hop  neighbors”  hereafter),  the  packet  con¬ 
sists  of  the  following  items: 


Kcpub] 


(12) 


C™  '  is  the  certificate  of  node  i’s  public  key  signed  by  the 

'S’,  pub 

NTC’s  digital  signature  including  the  information  on  the 
node  ID  (node  i),  the  NTC’s  ID,  and  expiration  time  for 
the  valid  period  of  the  public  key.  Note  that  the  notation 
NTC,  is  the  NTC  who  issues  the  certificate  of  node  i’s  pub¬ 
lic  key  and  /<j  pub  is  node  i’s  public  key.  The  receiving  node 
will  check  the  trustworthiness  of  the  NTC  in  integrity  trust 
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(a)  Key  issuance  and  distribution 


(b)  Key  request 


Fig.  1.  Distributed  key  management  process  in  CTPKM. 


749  with  Tth  to  ensure  the  authenticity  of  /(,  pub.  If  the  NTC  is 

750  compromised,  it  can  perform  a  private  key  compromise  at- 

751  tack  by  leaking  the  private  key  generated  to  other  mali- 

752  cious  nodes.  Integrity  trust  check  of  the  NTC  minimizes  the 


chance  of  this  attack.  Node  i  distributes  this  information  to  753 
its  selected  1-hop  neighbors  in  the  clear,  in  as  specified  in  754 
(12),  because  node  i  may  not  know  the  public  keys  of  its  755 
neighbors  upon  entry.  This  may  reveal  the  vulnerability  to  756 
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message  forgery  attacks  by  which  a  malicious  node  may 
intercept  the  information  and  send  a  fake  key  and  certifi¬ 
cate  to  the  intended  receivers.  To  minimize  this  vulnera¬ 
bility,  our  protocol  design  ensures  the  authenticity  of  the 
disseminated  public  key  and  certificate  via  the  agreement 
of  the  receivers  towards  the  opinions  of  the  authenticity  of 
the  key  pair  based  on  a  majority  voting  mechanism  (i.e.,  if 
the  majority  of  voters  agree,  then  the  public  key  and  cer¬ 
tificate  are  considered  authentic).  Unless  more  than  a  ma¬ 
jority  of  the  receivers  are  compromised,  this  ensures  the 
authenticity  of  the  received  key  and  certificate.  We  con¬ 
sider  the  extra  communication  overhead  caused  by  this  au¬ 
thenticity  check  in  our  performance  metric. 

Some  nodes  may  not  have  the  public  key  of  a  particu¬ 
lar  node  it  wants  to  communicate  with  because  it  has  not 
encountered  the  node  as  a  1-hop  neighbor.  In  this  case, 
a  node  can  request  the  target  node’s  public  key  from  its 
trustworthy  1-hop  neighbors  based  on  (11).  If  any  of  the 
trustworthy  1-hop  neighbors  (m)  has  the  public  key  of  the 
target  node  (TN),  then  it  will  provide  the  public  key  to 
node  i.  Whether  or  not  to  provide  the  public  key  of  the  TN 
depends  on  m’s  assessment  toward  node  i  (requestor)  in 
integrity  trust  (i.e.,  T^  f(t)  >  Ttb).  If  node  m  decides  to  pro¬ 
vide  the  public  key  of  TN,  the  returning  message  includes 
the  following  items: 


kntctn 

1  K TN.pub 


•  K TN.pub  ■  IDm  ]k4 


(13) 


Node  m  returns  the  public  key  of  the  TN,  I(TN:  pub,  the 
TN’s  public  key  certificate  C^TC™  ,  and  its  ID  (IDm).  The 

K™,pub 

message  is  encrypted  by  Kb  pub,  the  public  key  of  node  i. 
When  the  requestor  receives  this  message,  it  will  save  the 
public  key  of  TN  if  m  satisfies  (11). 

If  m  does  not  have  the  public  key  of  the  TN,  it  will  for¬ 
ward  the  request  message  to  its  trustworthy  1-hop  neigh¬ 
bors  (mn s)  that  meet  (11).  The  delegated  request  message 
has  the  following  format: 


lCNK^b,Ki,pub,IDTN]Km,f 


(14) 


Cl.  ‘  is  the  public  key  certificate  of  node  i,  certified 

l'i,pub 

by  the  NTC  of  node  i,  NTCt.  1DTN  is  the  ID  of  the  TN,  and 
pub  is  the  public  key  of  node  m'  who  is  a  trustworthy 
1-hop  neighbor  of  m.  Node  m '  receiving  the  delegated  re¬ 
quest  message  from  m  decrypts  the  message  with  its  pri¬ 
vate  key,  checks  if  it  has  the  public  key  of  the  TN,  and 
checks  if  the  requestor,  node  i,  passes  the  integrity  test 
(i.e„  P,  . (t)  >  Tth).  If  yes,  then  it  sends  the  public  key  of 
TN  to  the  original  requestor  (node  i)  by  a  returning  mes¬ 
sage  following  the  format  specified  in  (13). 

If  an  intermediate  node  forwarding  the  request  message 
is  uncooperative,  the  request  message  can  be  dropped; 
therefore,  many  nodes  may  not  have  valid  public  keys.  A 
malicious  1-hop  neighbor  may  even  provide  incorrect  pub¬ 
lic  keys.  Therefore,  the  trust  threshold  ( Tth )  affects  how 
many  valid,  correct  and  uncompromised  public  keys  a 
node  can  use.  In  our  proposed  CTPKM,  we  show  there  ex¬ 
ists  an  optimal  Ttb  under  which  a  sufficient  number  of 
valid,  correct  and  uncompromised  public  keys  are  gen¬ 
erated  while  reducing  communication  overhead  (not  for¬ 
warding  the  public  key  requests  to  untrustworthy  nodes) 


and  mitigating  security  vulnerability  (reducing  the  use  of 
a  compromised  public  key).  In  CTPKM,  when  a  trustwor¬ 
thy  intermediate  node  that  meets  (11)  has  a  valid  public 
key  of  the  TN,  it  can  provide  the  public  key  of  the  TN  to 
the  requestor.  This  reduces  communication  overhead  sig¬ 
nificantly  in  key  distribution. 

Key  revocation  and  update:  The  private/public  keys  of 
a  node  will  be  revoked  after  the  valid  period  expires.  Since 
the  certificate  includes  the  information  on  expiration  time, 
key  revocation  due  to  time  expiration  will  be  implicitly 
known  to  other  nodes  in  the  network.  Before  the  valid  pe¬ 
riod  is  past,  a  node’s  1-hop  neighbors  can  serve  as  veri¬ 
fiers  and  apply  majority  voting  to  detect  if  the  node’s  pri¬ 
vate  key  is  compromised.  If  a  verifier  had  once  interacted 
with  another  node  claiming  it  to  be  the  target  node,  then 
the  verifier  suspects  the  target  node’s  private  key  has  been 
compromised,  and  will  vote  against  it.  If  the  private  key 
is  deemed  compromised  (when  the  majority  of  the  neigh¬ 
bors  vote  against  it),  the  node,  being  as  the  owner  of  the 
private  key,  must  notify  the  key  compromise  event  to  all 
nodes  in  the  network.  We  consider  the  extra  communica¬ 
tion  overhead  caused  by  this  key  revocation  procedure  in 
our  performance  metric.  If  the  owner  of  the  key  itself  is 
compromised  and  does  not  disseminate  the  key  compro¬ 
mise  message,  its  neighbors  will  decrease  the  trust  value 
of  the  node  to  hinder  the  node  from  reissuing  a  new  pub¬ 
lic/private  key  pair.  In  CTPKM,  if  a  node  does  not  main¬ 
tain  a  certain  level  of  trust,  it  cannot  obtain  the  certificate 
of  its  public  key.  Therefore,  there  is  a  very  low  chance  for 
an  untrustworthy  node  to  issue  its  public  key  with  a  valid 
certificate. 

3.4.  Metrics 

To  examine  the  impact  of  attack  intensity  and  ratio  of 
attackers  on  trust  accuracy,  we  define  the  following  metric: 

•  Trust  bias  ( Bx )  refers  to  the  difference  (absolute  value) 
between  ground  truth  trust  values  and  estimated  trust 
values  in  trust  property  X.  In  this  paper,  we  apply  the 
optimal  trust  chain  length  (TC)  protocol  design  [10]  ex¬ 
plained  in  Section  3.2  to  minimize  the  trust  bias.  Given 
the  optimal  TC,  the  trust  bias  of  node  j  evaluated  by 
node  i  is  measured  by: 

Bx  =  \Tx(t)-Txj(t)\  (15) 

7jx(t)  indicates  the  ground  truth  trust  value  of  node  i 
in  trust  component  X,  as  explained  in  Section  3.2.2.  The 
measured  trust  of  node  i  evaluated  by  node  j,  71x.(t),  is 
computed  in  Equations  (6)-(10). 

CTPKM  is  built  on  top  of  the  optimal  TC  protocol  design 
and  is  measured  by  the  following  performance  metrics: 

•  Fraction  of  correct  public  keys  ((F)  refers  to  the  aver¬ 
age  number  of  valid,  correct  and  uncompromised  public 
keys  kept  in  each  node  over  the  total  number  of  mem¬ 
ber  nodes  in  the  network,  computed  by: 

r  Xa=0 

|M||M-1|LT  1  J 

where  Ktj(t)  =  1  if  node  i  has  the  valid,  correct  and  un¬ 
compromised  public  key  of  node  j;  0  otherwise.  M  is  a 
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set  of  legitimate  members  in  the  network.  The  entire 
mission  time  is  denoted  as  LT  (lifetime). 

Service  availability  (.4)  refers  to  the  ratio  of  the  aver¬ 
age  time  period  that  a  node’s  valid,  correct  and  uncom¬ 
promised  public  key  is  kept  by  other  nodes  over  the  en¬ 
tire  session  time,  calculated  by: 

.  _  EielW  j/i  A, j  .  . 

\M\\M-\\LT  1  J 

where  A, j  is  the  time  duration  node  i  has  the  valid, 
correct  and  uncompromised  public  key  of  node  j.  This 
metric  implies  how  much  time  each  node  keeps  an¬ 
other  node’s  valid,  correct  and  uncompromised  public 
key  during  the  entire  session  time. 

Information  risk  ('/?.)  indicates  the  average  number  of 
packet  transmissions  using  a  compromised  public  key 
during  the  entire  session,  LT  .  Consider  that  each  node 
sends  a  message  to  another  node  for  which  it  keeps  the 
public  key  in  every  group  communication  interval  (Tg). 
The  information  risk  exposed  by  sending  messages  us¬ 
ing  a  compromised  public  key  is  computed  by: 

mo  os) 

t=0  ieM  jeCJ^i 

where  R>  j(t)  =  1  if  node  i  keeps  a  compromised  pub¬ 
lic  key  of  node  j;  0  otherwise.  C  is  the  set  of  legiti¬ 
mate  members  whose  private  keys  are  compromised.  If 
a  node’s  private  key  is  detected  as  compromised,  the 
node  is  prohibited  from  group  communication  until  its 
key  is  re-issued. 

Communication  cost  (C)  counts  the  number  of  hop 
messages  per  time  unit  (i.e.,  second )  caused  by  CTPKM, 
computed  by: 

Q  _  IZt=0  C tOtal  (t) 

with 

Octal  (O  =  Qe(t)  +Qcm(t)  +Qc(0 
Cfcm(f)  =  Qi(t)  +  Qfd(t)  +  Qr(t) 

Cfe(t)  is  the  number  of  hop  messages  caused  by  trust 
evaluation  accounting  for  the  cost  for  each  node  to  pe¬ 
riodically  (in  every  Tu)  disseminate  the  trust  values  of 
its  1-hop  neighbors  to  nodes  located  within  the  trust 
chain  length  (TC)  [10].  Ckm(t)  is  the  number  of  hop  mes¬ 
sages  caused  by  key  management.  Cgc(t)  is  the  cost  for 
group  communication  by  all  member  nodes.  Ckm(t )  con¬ 
sists  of  three  cost  components:  key  issuance  (Q(j(t)),  key 
distribution  (Qid(t)),  and  key  revocation  (Q(r(t)).  Q(d(t) 
includes  the  cost  for  a  public  key  to  be  distributed 
to  trustworthy  1-hop  neighbors  and  requesting  nodes, 
and  the  cost  for  authenticating  the  public  key  by  1-hop 
neighbors. 

4.  Simulation  results 

This  section  shows  numerical  results  obtained  from 
simulation.  We  first  explain  the  experimental  setup  and 
schemes  to  be  compared  against  the  proposed  CTPKM. 
Then  we  conduct  a  comparative  performance  experiments 
and  demonstrate  numerical  results  with  analysis. 


4.1.  Experimental  setup 

Our  simulation  is  conducted  using  an  event  driven  sim¬ 
ulator  SMPL  [42],  Table  3  gives  the  set  of  parameters  and 
their  default  values  for  defining  the  simulation  environ¬ 
ment.  We  use  the  optimal  trust  chain  length  (i.e.,  TC  =  4) 
and  (a,  y)  =  (0.1, 0.95)  where  a  is  a  weight  for  direct  ev¬ 
idence,  1  -  a  is  a  weight  for  indirect  evidence,  and  y  is  a 
decay  factor.  This  setup  environment  is  used  for  maximiz¬ 
ing  trust  accuracy  (or  minimizing  trust  bias)  while  main¬ 
taining  acceptable  communication  overhead  due  to  trust 
assessment.  The  optimal  TC  and  (a,  y)  parameter  settings 
are  determined  following  our  prior  work  [10,43]  and  the 
detail  is  not  repeated  here. 

To  model  the  mobility  patterns  of  nodes  in  a  MANET, 
we  use  CRAWDAD  human  mobility  traces  collected  by 
KA1ST  [41  ]  with  N  =  92  nodes.  To  ensure  the  availability  of 
92  nodes’  mobility  data,  we  take  the  initial  4  h  of  mobility 
data  in  order  to  trace  available  locations  of  all  92  nodes. 
A  node  may  leave  or  join  the  network  with  the  interval  of 
1  //x  =  4  h  and  1  /X  =  1  h,  respectively.  Due  to  sparse  net¬ 
work  connectivity,  we  scale  down  the  operational  area  in 
order  for  nodes  to  have  a  sufficient  level  of  interactions 
based  on  the  radio  range  given  ( R  =  250  m). 

Initial  values  for  each  trust  component  are  seeded  with 
a  random  variable  selected  from  the  range  in  [GB,  1]  based 
on  uniform  distribution  where  GB  is  the  lower  bound.  The 
trust  values  are  also  affected  by  network  conditions  and 
link  reliability  (Pr)  in  competence  and  the  number  of  en¬ 
countered  entities  by  node  j  (Np  in  social  contact.  The  ini¬ 
tial  estimated  trust  value  at  time  t  =  0  is  set  to  0.5,  imply¬ 
ing  ignorance  (complete  uncertainty).  We  report  the  im¬ 
pact  of  key  design  parameters  on  the  four  metrics  defined 
in  Section  3.4.  We  vary  three  key  design  parameters  to  ex¬ 
amine  their  effects:  (1)  the  trust  threshold  (Ttjl);  (2)  the 
percentage  of  compromised  nodes  (Pc);  and  (3)  the  degree 
of  the  attack  intensity  (Pa).  In  order  to  model  attackers’  be¬ 
haviors  in  Section  3.1,  Pc  and  Pa  are  the  key  design  param¬ 
eters.  If  a  node  is  selected  as  compromised  based  on  Pc 
(i.e.,  Pc  fraction  of  nodes  is  compromised),  it  will  perform 
any  attacks  described  in  Section  3.1  with  the  probability 
Pfl.  The  scenarios  that  a  malicious  node  performs  attack  are 
explained  in  detail  in  Section  3.1. 

We  allow  a  30  min  warm-up  period  (Tw)  for  peer-to- 
peer  trust  evaluation  to  reach  a  sufficiently  accurate  level. 
We  use  a  5  min  trust  update  interval  (T„)  and  a  2  min 
group  communication  interval  ( Tg ).  For  group  communi¬ 
cations  among  legitimate  member  nodes,  each  node  sends 
out  a  packet  to  all  nodes  whose  public  keys  are  available 
to  it.  Each  data  point  shown  is  based  on  the  average  of  50 
observations  of  performance  data  collected  during  the  4  h 
of  simulation  time.  All  results  are  shown  with  95  %  confi¬ 
dence  interval  (Cl)  for  each  data  point. 

4.2.  Schemes  for  performance  comparison 

We  compare  CTPKM  with  a  baseline  scheme  and  two 
existing  schemes.  The  baseline  scheme  is  a  non-trust- 
based  key  management  which  follows  all  key  management 
procedures  in  CTPKM  except  for  trust  management.  The 
other  two  existing  schemes  are  selected  from  the  class  of 
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Table  3 

System  parameters  and  default  values. 

Parameters  Meaning  Value 


CB  Lower  bound  of  the  probability  that  a  node  behaves  well,  used  in  deriving  ground  truth  trust,  Pf  0.8 

a  A  weight  to  consider  direct  evidence  while  (1  -  a)  is  a  weight  to  consider  indirect  evidence  0.1 

y  A  trust  decay  factor  0.95 

Tth  Trust  threshold  used  in  the  operations  of  key  management  and  group  communication  0.3 

TC  Length  of  a  trust  chain  4 

P„  Probability  that  an  attacker  exhibits  malicious  behavior,  called  attack  intensity  0.5 

Tw  Warm  up  period  in  the  beginning  of  network  deployment  to  establish  initial  trust  30  min 

T„  Trust  update  interval  5  min 

p  A  constant  to  normalize  the  social  contact  trust  5 

LT  The  total  simulation  time  4  h 

Tg  Group  communication  time  interval  2  min 

Pr  Probability  that  a  link  is  reliable  for  transmission  0.99 

Pc  Percentage  of  compromised  nodes  in  a  network  20% 

R  Wireless  radio  range  250  m 

N  Total  number  of  nodes  in  a  network  92 

1/A  Average  time  interval  a  node  joins  a  network  1  h 

l//x  Average  time  interval  a  node  leaves  a  network  4  h 

Pd  Standard  deviation  of  a  node's  average  behavior  from  its  actual  behavior  accounting  for  behavior  variation  over  time  0.05 


certificate-based  public  key  management  [20,21],  discussed 
in  Section  2.1.  The  two  existing  key  management  protocols 
are  selected  for  performance  comparison  against  CTPKM 
for  the  following  reasons: 

The  two  existing  key  management  schemes  fall  within 
the  class  of  certificate-based  public  key  management  as 
CTPKM  for  fair  performance  comparison. 

As  CTPKM,  both  schemes  use  the  concept  of  trust  as  the 
basis  of  decision  making  such  as  selecting  a  trustwor¬ 
thy  CA  [20]  and  authenticating  the  certificate  of  a  pub¬ 
lic  key  of  a  target  node  based  on  the  web  of  trust  of 
intermediate  nodes  in  the  certificate  path  [21], 

Chang  and  Kuo’s  work  [20]  represents  a  centralized 
public  key  management  with  the  existence  of  a  trusted 
party  as  is  often  assumed  in  many  existing  works. 
Dahshan  and  Irvin’s  work  [21]  follows  the  concept  of 
the  web  of  trust  as  is  often  used  in  many  existing 
works  to  ensure  accurate  trust  assessment  of  entities  in 
traditional  security  services  such  as  PGP. 

We  explain  how  they  are  implemented  in  detail  as  fol¬ 
lows: 

Trust-based  back-up  CA/CA  key  management 
(TBA/CA)  [20]:  This  work  uses  trust  to  select  the 
CA  and  back-up  CA  (BCA)  for  key  management  in 
MANETs.  We  tailor  it  to  fit  the  network  environment 
targeted  in  this  work  for  fair  comparison.  In  TBA/CA, 
the  most  trustworthy  node  with  the  highest  overall 
trust  value  (assuming  an  equal  weight  for  the  three 
trust  components)  becomes  the  CA  and  the  next  high¬ 
est  trustworthy  node  becomes  the  BCA.  When  the  CA 
is  leaving,  the  BCA  takes  the  role  of  the  new  CA  and 
accordingly  a  new  BCA  is  selected.  Like  CTPKM,  the 
trust  metric  is  based  on  the  combination  of  direct 
and  indirect  evidence.  However,  the  indirect  evidence 
used  in  this  scheme  is  based  on  the  derived  measured 
trust  with  all  nodes  (except  the  target  node)  serving 
as  the  recommenders.  This  is  in  contrast  to  CTPKM 
which  uses  only  1-hop  neighbors  of  the  target  node  as 
the  recommenders  where  indirect  evidence  is  derived 


based  on  the  recommender’s  direct  experience  in 
order  to  avoid  any  impact  of  compromised  nodes  on 
the  source  of  indirect  recommendation  [10],  Also  in 
TBA/CA,  the  CA  maintains  all  key  pairs  and  dissemi¬ 
nates  a  key  pair  to  the  intended  owner  regardless  of 
the  status  of  the  owner  node  (whether  the  node  is 
compromised  or  not).  We  apply  equal  weight  to  direct 
and  indirect  evidence. 

•  Key  management  in  web  of  trust  (KMiWoT)  [21]:  In 

this  scheme,  each  node  issues  a  pair  of  private/public 
keys  and  gets  a  certificate  issued  by  a  neighbor  node 
who  believes  there  is  a  binding  between  this  node’s 
ID  and  its  public  key.  To  compute  the  trust  of  a  tar¬ 
get  node,  a  node  first  finds  a  certificate  chain  of  pub¬ 
lic  keys,  the  last  of  which  is  the  public  key  of  the  tar¬ 
get  node  under  trust  evaluation.  Then  the  trust  value 
of  the  target  node  is  computed  by  the  product  of  trust 
values  of  the  intermediate  nodes  on  the  path  of  the  cer¬ 
tificate  chain.  Essentially  trust  in  KMiWoT  means  trust 
in  the  certificate  authenticating  a  public  key  belongs  to 
a  particular  node.  A  node  can  obtain  the  authenticated 
public  key  of  a  target  node  via  two  ways:  (1)  the  node 
itself  issues  a  certificate  to  the  target  node  who  had  re¬ 
quested  its  public  key  to  be  certified;  (2)  the  node  finds 
a  certificate  chain  leading  to  the  target  node’s  public 
key.  Trust  estimation  relies  on  the  existence  of  a  cer¬ 
tificate  chain  to  obtain  authenticated  public  keys.  If  no 
certificate  chain  is  found,  trust  will  not  be  updated. 

4.3.  Comparative  performance  analysis 

In  this  section,  we  compare  the  performance  of  CTPKM 
with  non-trust-based  and  trust-based  counterparts  includ¬ 
ing  NTB,  TBA/CA  [20],  and  KMiWoT  [21]  under  varying  pa¬ 
rameter  values  including  trust  threshold  ( Trh ),  the  percent¬ 
age  of  compromised  nodes,  and  attack  intensity  (Pa). 

4.3.1.  Effect  of  trust  threshold 

First  we  examine  the  impact  of  a  trust  threshold  Tth  on 
the  trust  bias  and  four  performance  metrics  as  discussed  in 
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(a)  Trust  bias  in  competence  (Bc )  vs.  Tth 


—  CTPKM  •••■  KMiWOT  -o- TBA/CA 

1  r 


Tth 


(e)  Communication  Cost  (C )  vs.  Tj/j 


Fig.  2.  Effect  of  trust  threshold  <TLh  )  on  trust  bias  and  performance. 


1047  Section  3.4.  In  Fig.  2,  we  compare  the  performance  of  three 

1048  trust-based  approaches,  CTPKM,  KMiWoT,  and  TBA/CA  as 

1049  all  trust-based  schemes  use  a  trust  threshold  as  a  design 

1050  feature. 

1051  Fig.  2(a)  shows  trust  bias  in  competence  (Bc)  of  three 

1052  trust-based  schemes.  When  Tth  <  0.4,  Bc  is  somewhat  flue- 

1053  tuating  but  the  overall  performance  is  ordered  as  CTPKM 

1054  ss  TBA/CA  >  KMiWoT.  The  high  inaccuracy  of  trust  estima- 

1055  tion  in  KMiWoT  is  because  peer-to-peer  trust  estimation 


is  only  possible  when  each  node  has  the  certificate  of  a  1056 
peer’s  public  key.  In  KMiWoT,  a  node  can  issue  a  certifi-  1057 
cate  of  a  peer’s  public  key  only  when  the  peer’s  trust  value  1058 
is  higher  than  a  given  trust  threshold.  Thus,  if  a  node’s  1059 
public  key  certificate  is  not  available,  trust  cannot  be  up-  1060 
dated.  In  addition,  when  two  nodes  are  apart  with  more  1061 
than  1-hop  distance,  the  trust  of  a  trustor  toward  a  trustee  1062 
is  calculated  based  on  the  sum  of  trust  values  obtained  1063 
from  multiple  paths  (if  available)  where  each  trust  value  is  1064 
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computed  based  on  the  product  of  trust  values  of  all  in¬ 
termediate  nodes  on  the  path  [21].  Under  a  highly  dy¬ 
namic  environment  such  as  MANETs,  a  path  between  two 
nodes  may  not  exist.  In  addition,  even  if  there  exists  any 
path  between  two  distant  nodes,  the  product  of  trust  val¬ 
ues  of  all  intermediate  nodes  can  decay  trust  values  too 
quickly,  which  leads  to  high  inaccuracy  of  trust  estimation 
(i.e.,  high  trust  bias)  in  KMiWoT  as  shown  in  Fig.  2(a).  The 
trends  of  the  trust  biases  in  the  other  two  dimensions  are 
similar,  thus  we  do  not  show  them  due  to  space  constraint. 

In  Fig.  2(b),  we  compare  the  fraction  of  correct  pub¬ 
lic  keys  (J7)  of  the  three  trust-based  key  management 
schemes  under  varying  Tth.  KMiWoT  performs  comparably 
or  better  than  CTPKM  and  TBA/CA  under  Tth  <  0.2.  When 
Tth  >  0.2,  the  performance  order  is  as  CTPKM  >  TBA/CA  > 
KMiWoT.  In  particular,  it  is  noticeable  that  KMiWoT  crashes 
when  T[h  >  0.3  because  of  high  trust  bias.  The  low  perfor¬ 
mance  of  TBA/CA  compared  to  CTPKM  is  because  TBA/CA 
does  not  filter  recommendations  (i.e.,  indirect  trust  evi¬ 
dence)  while  CTPKM  only  uses  recommendations  filtered 
from  trustworthy  sources  based  on  Tth-  In  Fig.  2(c),  we 
compare  service  availability  (.4)  performances  of  the  three 
schemes.  Similar  to  the  trends  observed  in  Fig.  2(b),  when 
Tth  >  0.3,  the  performance  order  is  observed  as  CTPKM  > 
TBA/CA  >  KMiWoT  due  to  high  trust  bias  in  KMiWoT  and 
unfiltered  recommendations  used  in  TBA/CA. 

In  Fig.  2(d),  we  compare  the  performance  of  the  three 
schemes  in  information  risk  ('ll),  in  all  cases,  lower  infor¬ 
mation  risk  is  observed  as  Tth  increases  because  a  high 
trust  threshold  only  allows  public  key  generation  and  dis¬ 
tribution  of  highly  trustworthy  nodes.  When  Tth  >  0.1,  we 
observe  significantly  high  performance  of  CTPKM  in  infor¬ 
mation  security,  compared  to  the  other  two  schemes,  with 
the  performance  order  of  CTPKM  >  KMiWoT  >  TBA/CA. 
TBA/CA  shows  the  highest  information  risk  because  it  can¬ 
not  deal  with  the  case  that  a  CA  or  back-up  CA  is  com¬ 
promised.  KMiWoT  also  shows  a  higher  information  risk 
than  CTPKM  because  of  high  trust  bias.  In  Fig.  2(e),  we 
compare  the  communication  overhead  ( C )  of  the  three 
schemes  and  observed  the  performance  order  of  KMi¬ 
WoT  >  CTPKM  >  TBA/CA.  Although  KMiWoT  performs  the 
best  among  three  in  C,  its  performances  in  T  and  A  are 
very  low,  which  offsets  the  merit  of  KMiWoT  compared  to 
CTPKM. 

For  the  next  two  sections,  we  vary  the  percentage 
of  compromised  nodes,  Pc,  and  the  degree  of  attack  in¬ 
tensity,  Pa,  and  investigate  their  impact  on  the  perfor¬ 
mance  metrics.  In  order  to  use  the  same  trust  thresh¬ 
old  in  all  schemes  for  fair  comparison,  we  chose  0.3  as 
the  trust  threshold  even  though  an  optimal  trust  thresh¬ 
old  can  be  differently  selected  in  each  scheme.  We  set 
Pa  =  0.5  and  Pc  =  0.2  unless  they  are  varied  for  sensitivity 
analysis. 

4.3.2.  Effect  of  percentage  of  compromised  nodes 

This  section  shows  the  performance  comparison  of  the 
four  schemes  as  the  percentage  of  compromised  nodes, 
Pc,  varies.  Fig.  3(a)  shows  trust  bias  in  competence  (Bc) 
for  the  three  trust-based  schemes.  In  Fig.  3(a),  as  Pc  in¬ 
creases,  more  compromised  nodes  exist  in  the  network.  In 
this  case,  CTPKM  performs  better  than  or  at  least  compara¬ 


ble  to  TBA/CA  because  more  compromised  nodes  will  deter 
each  node  from  obtaining  accurate  trust  evidence.  We  ob¬ 
serve  that  KMiWoT  performs  the  worst  among  three  due 
to  the  way  of  trust  estimation  using  excessive  trust  decay 
over  space  and  a  lack  of  paths  existing  between  nodes  that 
have  each  other’s  public  key  certificates.  In  Fig.  3(b),  we 
compare  the  fraction  of  correct  public  keys  (2r)  of  the  three 
trust-based  schemes  and  one  non-trust  based  scheme.  The 
performance  order  is  NTB  >  CTPKM  >  TBA/CA  ks  KMiWoT. 
Although  NTB  performs  the  best  among  three  in  this  met¬ 
ric,  it  loses  its  advantage  because  it  incurs  high  informa¬ 
tion  risk  (see  Fig.  3(d)).  Compared  to  the  performance  of 
TBA/CA  and  KMiWoT,  CTPKM  performs  significantly  bet¬ 
ter  with  the  minimum  information  risk  exposed.  Fig.  3(c) 
shows  the  performance  comparison  of  the  four  schemes 
in  service  availability  (.4)  with  the  performance  order  of 
CTPKM  >  NTB  KMiWoT  >  TBA/CA  overall.  With  the  same 
reason  discussed  in  Fig.  2(d)  and  (e),  the  performance  or¬ 
der  in  information  risk  (7 1)  is  as  CTPKM  >  KMiWoT  > 
TBA/CA  >  NTB  in  Fig.  3(d)  while  the  performance  order 
in  communication  cost  (C)  is  KMiWoT  >  NTB  >  CTPKM  > 
TBA/CA  in  Fig.  3(e).  KMiWoT  incurs  the  least  communica¬ 
tion  overhead  because  it  leverages  the  existence  of  public 
key  certificates  for  trust  estimation  which  does  not  intro¬ 
duce  extra  communication  overhead.  Also,  it  does  not  per¬ 
form  trust  assessment  in  the  absence  of  the  public  key  cer¬ 
tificates. 

4.3.3.  Effect  of  attack  intensity 

Lastly  this  section  demonstrates  the  performance  of  the 
four  schemes  as  the  attack  intensity,  Pa,  varies.  In  Fig.  4(a), 
we  observe  a  similar  trend  of  trust  bias  in  competence 
of  the  three  trust-based  schemes  like  Fig.  3(a),  with  the 
performance  order  of  CTPKM  >  TBA/CA  >  KMiWoT.  In 
Fig.  4(a),  as  the  attack  intensity  ( Pa )  increases,  CTPKM  sig¬ 
nificantly  outperforms  its  trust-based  counterparts  partic¬ 
ularly  when  Pa  >  0.4.  When  Pa  <  0.4,  TBCA/BA  performs 
better  than  CTPKM  because  TBCA/BA  uses  more  trust  ev¬ 
idence  at  the  expense  of  a  high  communication  overhead 
(since  it  uses  recommendations  from  all  nodes  in  the  net¬ 
work)  and  can  achieve  a  high  accuracy  of  trust  estimation 
when  the  attack  intensity  is  low.  On  the  other  hand,  when 
the  attack  intensity  is  high,  Pa  >  0.4,  it  helps  CTPKM  accu¬ 
rately  estimate  trust  because  an  attacker  will  consistently 
exhibit  the  same  bad  behavior. 

In  Fig.  4(b),  the  trends  of  performance  comparison  in 
T  are  similar  to  those  in  Fig.  3(b).  However,  one  noticeable 
difference  is  that  NTB  drops  its  performance  with  the  high¬ 
est  attack  intensity,  1,  because  NTB  has  no  defense  feature 
against  high  attack  intensity.  This  is  also  clearly  supported 
by  the  highest  information  risk  ('ll)  in  NTB  with  the  high¬ 
est  attack  intensity,  as  observed  in  Fig.  4(d). 

The  performance  trends  in  information  risk  ('ll)  and 
communication  overhead  (C)  in  Fig.  4(c)  and  (e)  are  sim¬ 
ilar  to  those  in  Fig.  3(c)  and  (e).  With  DoS  attacks,  a  com¬ 
promised  node  can  keep  requesting  public  keys  of  other 
nodes  even  if  it  already  has  their  public  keys  in  order  to 
increase  traffic  which  can  waste  the  network  resource.  A 
trust-based  key  management  scheme  would  make  a  de¬ 
cision  for  key  management  operations  such  as  issuance, 
distribution,  request,  and  update  based  on  the  requesting 
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(d)  Information  Risk  (TZ )  vs.  Pc 


(e)  Communication  Cost  (C )  vs.  Pc 
Fig.  3.  Effect  of  percentage  of  compromised  nodes  (Pc)  on  trust  bias  and  performance. 


1185  node’s  trust.  Therefore,  an  accurate  trust  protocol  such  as 

1186  CTPKM  can  ignore  requests  issued  from  “untrustworthy” 

1187  nodes,  thereby  effectively  thwarting  DOS  attacks.  Conse- 

1188  quently,  CTPKM  is  relatively  insensitive  to  the  increased 

1189  percentage  of  compromised  nodes  Pc  or  increased  attack 

1190  intensity  Pa  in  communication  cost  as  shown  in  Figs.  3(e) 

1191  and  4(e),  respectively.  However,  a  non-trust-based  scheme 

1192  such  as  NTB  will  serve  all  requests  even  from  compromised 

1193  nodes  because  it  does  not  use  trust  for  decision  making. 

1194  This  causes  a  significant  traffic  increase  as  Pc  or  Pa  in¬ 


creases,  as  demonstrated  in  Figs.  3  (e)  and  4(e),  respec-  1195 
tively.  1196 

In  TBA/CA  and  KMiWoT,  we  do  not  observe  much  1197 
sensitivity  of  the  performance  over  varying  attack  inten-  1198 
sity.  Although  KMiWoT  has  slightly  better  performance  1199 
than  CTPKM  in  information  risk  when  the  attack  in-  1200 
tensity  is  high,  the  information  risk  {TV)  of  KMiWoT  in  1201 
general  is  too  high.  A  reason  is  that  KMiWoT  performs  1202 
poorly  in  the  fraction  of  correct  public  keys  {F),  as  shown  1203 
in  Fig.  4(b).  1204 


Please  cite  this  article  as:  J.-H.  Cho  et  al.,  Trust  threshold  based  public  key  management  in  mobile  ad  hoc  networks,  Ad 
Hoc  Networks  (2016),  http://dx.doi.Org/10.1016/j.adhoc.2016.02.014 


1205 

1206 

1207 

1208 

1209 

1210 

1211 

1212 

1213 

1214 

1215 


1216 

1217 

1218 

1219 

1220 

1221 

1222 

1223 

1224 

1225 

1226 

1227 


ARTICLE  IN  PRESS 


JID:  ADHOC  [m3Gdc;  March  5 ,  20 1 6;  1 3:51] 

16  J.-H.  Cho  et  al./Ad  Hoc  Networks  xxx  (2016)  xxx-xxx 


(a)  Trust  bias  in  competence  (Bc  )  vs.  Pa 
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(d)  Information  Risk  (1Z)  vs.  Pa 
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(e)  Communication  Cost  (C )  vs.  Pa 
Fig.  4.  Effect  of  attack  intensity  (P„)  on  trust  bias  and  performance. 


5.  Conclusions 

In  this  paper,  we  proposed  a  CTPKM  for  MANETs.  Con¬ 
sidering  three  different  trust  dimensions,  namely,  compe¬ 
tence,  integrity,  and  social  contact,  CTPKM  enables  a  node 
to  make  decisions  while  interacting  with  others  based  on 
their  trust  levels.  We  devised  four  performance  metrics  to 
analyze  the  impact  of  our  trust  threshold  based  public  key 
management  design  on  security  vulnerability  (i.e.,  informa¬ 
tion  risk),  availability  (i.e.,  fraction  of  valid,  correct  and  un¬ 
compromised  public  keys  and  service  availability),  and  cost 
(i.e.,  communication  cost). 


The  design  of  the  proposed  trust  metric  and  trust- 
based  key  management  scheme  properly  reflects  the  de¬ 
sirable  properties  of  trustworthy  systems  for  MANET  envi¬ 
ronments  [5]  discussed  in  Section  2  in  the  following  way: 
(1)  the  use  of  a  trust  threshold  adjusts  potential  risk  and 
thus  mitigates  the  impact  of  risk;  (2)  trust  is  measured 
based  on  node  behavioral  evidence  in  the  context  of  key 
management;  (3)  a  node  decides  whether  to  trust  other 
nodes  in  the  process  of  key  management  operations  in  or¬ 
der  to  maximize  the  distribution  of  valid  public  keys;  (4)  a 
node  learns  other  nodes’  trust  over  time  based  on  past  ex¬ 
perience  in  addition  to  new  evidence;  and  (5)  our  design 
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enhances  both  security  and  performance,  leading  to  a  high 
system  reliability. 

We  conducted  a  comparative  performance  analysis  of 
our  proposed  CTPKM  against  a  counterpart  non-trust- 
based  scheme  and  two  existing  trust-based  key  manage¬ 
ment  schemes.  We  found  that  CTPKM  with  a  trust  thresh¬ 
old  design  to  filter  untrustworthy  messages  or  operations 
can  minimize  security  vulnerability  while  achieving  high 
availability,  without  incurring  high  communication  cost.  In 
this  work,  we  assumed  a  single  threshold  for  node  trust¬ 
worthiness  classification.  As  a  future  work  direction,  we 
plan  to  investigate  more  sophisticated  fuzzy  failure  crite¬ 
ria  as  in  [44-46]  to  further  enhance  CTPKM  performance. 
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